Harald Barth | 25 Jul 15:06 2011

Re: Heimdal in Lion

The broken ssh in Lion has been assigned Bug ID# 9743343 (amongst
other duplicates). If there is anyone with information on progress on
this, I would be pleased to know. Otherwise I have to prepare a
workaround (in effect shipping a replacement ssh to these users which
want to use our services from OSX Lion), make the support web pages
etc etc. All resulting in more "Kerberos does not work, why are you
using that s***" talk which I really don't need.


PS: Since release (5 days) we have 2 users who have fallen for the
"over 250 new features of OSX Lion" and no longer can log in to our

doug quaid | 25 Jul 09:38 2011

Disable password change for users via kadmind.acl or other

Is it possible to prevent all users from changing their password via kadmin? I am using Heimdal 1.2. As far
as I can tell there is no way to do so. I run kadmin as a user, the 'privileges' command says "none" and 'get'
fails, but I am able to issue the 'passwd' command. I have tried adding "joe get joe" to kadmind.acl
with the expectation that joe would only have 'get' privileges, but this still does not prevent joe from
changing joe's password.
Is there another way?

Stefan (metze) Metzmacher | 24 Jul 17:37 2011

lib/krb5: Allow any kvno to match when searching the keytab.

Hi Love,

is this patch acceptable for you?

Stefan (metze) Metzmacher | 24 Jul 17:34 2011

kdc: fix comparison between krb5int32 (int) and unsigned int

Hi Love,

I noticed a regression with this commit:

commit f5f9014c90cdf795867ad336803caf802bac7fed
Author: Love Hornquist Astrand <lha@h5l.org>
Date:   Fri Apr 29 20:25:05 2011 -0700

    Warning fixes from Christos Zoulas

    - shadowed variables
    - signed/unsigned confusion
    - const lossage
    - incomplete structure initializations
    - unused code
 kdc/krb5tgs.c |   15 ++++++++-------
 1 files changed, 8 insertions(+), 7 deletions(-)

Casting (int) to (size_t) is wrong.

Stefan (metze) Metzmacher | 24 Jul 17:29 2011

Set improved enctypes parameter defaults to better match the RFC.


is commit f93a56f931e91c7b8eeec83b94015604bbc898f1 of heimdal really

In Samba we needed to set c->use_strongest_server_key = TRUE in order to get
the same behavior as with heimdal 1.4.


Russ Allbery | 24 Jul 07:49 2011

Linking with Heimdal on Lion

Lion comes with Heimdal Kerberos libraries and an MIT Kerberos
compatibility shim.  Unfortunately, that shim doesn't implement
krb5_appdefault_*, which breaks the ability to get settings out of
krb5.conf.  I know those functions are available in the underlying Heimdal
libraries (but the calling sequence for the krb5_realm parameter is
different, which is probably why there has to be a compatibility shim).

All my existing configure machinery finds the MIT shim on Lion and
therefore thinks it can call krb5_appdefault_* with the MIT calling
convention, which results in a syslog'd error message and failure.

Does anyone know how I find and link against the actual Heimdal libraries
so that I can detect that I'm using Heimdal, use the appropriate
krb5_realm definition, and call the real krb5_appdefault_* functions?

(I don't have any Mac OS X systems personally.)


Russ Allbery (rra@stanford.edu)             <http://www.eyrie.org/~eagle/>

Jelmer Vernooij | 22 Jul 14:19 2011

[PATCH] cf: Also enable pthreads on Linux 3.

From: Jelmer Vernooij <jelmer@samba.org>

 cf/pthreads.m4 |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/cf/pthreads.m4 b/cf/pthreads.m4
index 7ce7310..209e4f3 100644
--- a/cf/pthreads.m4
+++ b/cf/pthreads.m4
 <at>  <at>  -41,7 +41,7  <at>  <at>  case "$host" in
 *-*-linux* | *-*-linux-gnu)
 	case `uname -r` in
-	2.*)
+	2.*|3.*)
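Review bot: the new pattern `2.*|3.*)` in the `uname -r` case only adds one more kernel major version to the whitelist, so the pthreads setting under the `*-*-linux* | *-*-linux-gnu)` host case will stop matching again as soon as a 4.x kernel appears, reproducing the exact failure this patch fixes for 3.x. Suggest matching any version for the Linux host case (`*)`) instead of enumerating major numbers; note also that `uname -r` reports the kernel of the build machine, not the target, so a version-prefix test misfires for cross builds and for builds inside containers running on an older host kernel.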


Linus Nordberg | 17 Jul 11:08 2011

Replay cache in use?


It seems to me that Heimdal has a replay cache (lib/krb5/replay.c) but
that it's not being used.  Is that correct and if so, why is it not
being used?


Doug Sampson | 9 Jul 01:00 2011

Kerberos implementation in Netatalk

I'm having trouble getting Appletalk users authenticated via KRB5 on a
FreeBSD machine running netatalk in an Active Directory environment
utilizing Windows 2003 domain controllers. I'm seeing these in our afpd
error log:

Jul 07 16:40:00.888509 afpd[7283] {dsi_tcp.c:209} (I:DSI): AFP/TCP
session from
Jul 07 16:40:00.889514 afpd[7260] {server_child.c:387} (I:Default):
server_child[1] 7282 exited 1
Jul 07 16:40:00.890376 afpd[7260] {server_child.c:389} (I:Default):
server_child[1] 7283 done
Jul 07 16:40:00.939783 afpd[7284] {dsi_tcp.c:209} (I:DSI): AFP/TCP
session from
Jul 07 16:40:00.940199 afpd[7284] {afp_dsi.c:441} (D5:AFPDaemon): <==
Start AFP command: AFP_LOGIN_EXT
Jul 07 16:40:00.940319 afpd[7284] {afp_dsi.c:448} (D5:AFPDaemon): ==>
Jul 07 16:40:00.940668 afpd[7284] {afp_dsi.c:441} (D5:AFPDaemon): <==
Start AFP command: AFP_LOGINCONT
Jul 07 16:40:00.940690 afpd[7284] {uams_gss.c:549} (D5:UAMS): uams_gss.c
:LoginCont: client thinks user is doug
Jul 07 16:40:00.940708 afpd[7284] {uams_gss.c:152} (D5:UAMS):
get_afpd_principal: fqdn: aries.dawnsign.com:548
Jul 07 16:40:00.940725 afpd[7284] {uams_gss.c:156} (D5:UAMS):
get_afpd_principal: service: afpserver
Jul 07 16:40:00.940764 afpd[7284] {uams_gss.c:198} (D5:UAMS):
get_afpd_principal: importing principal `afpserver@aries.dawnsign.com'
Jul 07 16:40:00.942008 afpd[7284] {uams_gss.c:326} (D5:UAMS): acquire
credentials: acquiring credentials (uid = 0, keytab =

Harald Barth | 8 Jul 15:56 2011

Compat with MIT kadmin?

First the general question until I dig further: Should the kadmind
from Heimdal be compatible with the kadmin from MIT, for example to
get keytabs on machines with MIT software installed?

On the client side (Scientific Linux 6.0):

# kadmin -p haba/admin
Authenticating as principal haba/admin with password.
Password for haba/admin@STACKEN.KTH.SE: 
Warning: Your password will expire in less than one hour on Thu Jan  1 01:00:00 1970
kadmin: GSS-API (or Kerberos) error while initializing kadmin interface


# rpm -qf /usr/bin/kadmin 

I dare say that my principal does _not_ expire at time zero, and
even if I set my password expiry date to something in the future (instead
of never) it does not help :-(

kadmin> get haba/admin
            Principal: haba/admin@STACKEN.KTH.SE
    Principal expires: 2012-04-01 23:59:59 UTC
     Password expires: never
 Last password change: 2009-10-08 17:55:16 UTC
      Max ticket life: 1 day
   Max renewable life: 1 day
                 Kvno: 5

Friedrich Locke | 7 Jul 18:20 2011

mod_auth_kerb with heimdal : I am losing my hair and completely desperate for help

Dear list members,

I have a box I set up as an HTTP server. I can log into this machine
via ssh using a Kerberos ticket (GSSAPI) and by providing a
password directly (which is looked up in my Heimdal server).

I would like to let Apache authenticate passwords through the Heimdal KDC.
So I set up mod_auth_kerb, and when I try to access the home page my
web client shows an authentication window requesting a user name and
a password; I provide both, but I cannot authenticate.

What I get from the Apache logs is:

[Thu Jul  7 13:17:00 2011] [debug] src/mod_auth_kerb.c(0): [client] kerb_authenticate_user entered with user (NULL) and
auth_type Kerberos
[Thu Jul  7 13:17:00 2011] [debug] src/mod_auth_kerb.c(0): [client] Using HTTP/gustav.cpd.ufv.br@UFV.BR as server
principal for password verification
[Thu Jul  7 13:17:00 2011] [debug] src/mod_auth_kerb.c(0): [client] Trying to get TGT for user sioux@UFV.BR
[Thu Jul  7 13:17:00 2011] [error] [client]
krb5_get_init_creds_password() failed: Cannot contact any KDC for
requested realm
[Thu Jul  7 13:17:00 2011] [debug] src/mod_auth_kerb.c(0): [client] kerb_authenticate_user_krb5pwd ret=401 user=(NULL)

It sounds very strange to me. The message "Cannot contact any KDC for
requested realm" is weird because I can log in to this host using